Bugtraq mailing list archives
Re: [linux-security] Linux virus
From: jimd () STARSHINE ORG (Jim Dennis)
Date: Wed, 5 Feb 1997 02:16:16 -0800
Aleph One seems to have said:
ugh :) Today I became infected with the bliss virus; any info on this would be appreciated! How do I scan for infected files, and is it possible to remove it? I first noticed the infection when running a program (not as root): messages flashed on the screen about traversing directories and such. The program (gimp) had been working fine since I downloaded the binary for gimp from their main site. The gimp people told me they have not been receiving complaints that their binaries are infected, so something else must be the source.
....
I am presently using this to scan for it in my home dir:

    grep infected /home/peter/**/*(xD/)

Any help would be great!!!

Rgds, Peter.

[mod: It looks as if lots of debugging strings are still in the binary. Odd that this "debugging version" would be in the wild. Peter, can you verify that it indeed is a virus? Unless it knows of ways to become root, you should be safe if you add a new user account and place an infected binary and a few uninfected binaries in that user's account. Make sure that you have an unmodified version available for comparison. On one hand I don't like to approve this until Peter has verified this, but on the other hand, if there is really a Linux virus on the loose, you all would like to hear about it ASAP, right? -- REW]
Peter and all,

I've forwarded your message and the reply by Todd to the Chief AV Researcher at McAfee Associates (the premier PC anti-virus company). Jimmy is a friend of mine (I used to be the sysadmin there) and has assured me that he will look into it first thing in the morning (he's here at my house now).

This would be the first "live and in-the-wild" Linux virus that I've ever heard of -- have I been missing something?

In any event -- McAfee may be able to add this to their existing uvscan product. uvscan scans Linux filesystems for DOS and Windows (including Word macro) viruses. It may be possible for the AV team to simply add bliss' signature to the next release -- and it may even be possible for them to create a remover. However -- the current version of this is almost guaranteed not to detect or remove this (unless someone at McAfee's AV team discovered this without telling the boss).

I noticed your detection mechanism -- it seems like we could add something to the zmagic file to allow the stock Linux 'file' command to identify Bliss-infected binaries. Then a command like:

    find / -print | { while read -r i; do
        file "$i" | grep "Bliss Infected" && \
            echo "$i"    # do something about the infected files
    done; }

would do the trick. An interim solution would be to simply rm all infected files and restore from CD or via FTP. If you could cut a tape or other backup of your system in its infected state it might be of interest to the McAfee team.

Who knows how to update the zmagic file?

Jimmy has asked me to let everyone on this list know that if you want updates on this issue -- or if you have further information, please feel free to forward it through me or directly to cjkuo () mcafee com.

I suppose this would be a great time to recommend that more people get and install 'tripwire' and cops, and that everyone use the 'chattr +i' command to help protect their libs and binaries from lame attacks such as these.

tripwire and cops are available at the COAST archive at cs.purdue.edu. Information about using 'chattr' to mark your files as immutable is in the Linux-Tips HOWTO (actually submitted to them by moi).

Note -- currently the immutable flag under ext2fs is of limited security value, since any root-run program that wants to can simply chattr it back. However -- it would be effective against crude and lame attacks like this one (as described in Todd's excerpt). The addition of a BSD-like 'securelevel' (which is in the works for the 2.1 kernels) will make the "immutable" flag a viable security feature.

A final note: This should serve as yet another reminder that we must always be aware of the trust that we place in the sources for all of our files. The fact that a system is a single-user workstation should not lull any one of us into allowing the admin of that system to neglect proper ownership and permissions conventions.

Here's a one-line script to find any files on your path to which you have write access (run this under your normal login id).

    #! /bin/bash
    ## find.wx-files
    find $(echo $PATH | tr : " ") -type f | \
    { while read -r i; do [ -x "$i" ] && [ -w "$i" ] && ls -l "$i"; done; }

While doing this I discovered several files that were writable by me in my normal account (I was a member of the 'root' group). Red Hat 3.03 leaves a number of X11R6 binaries group-writable. I've fixed that now (and permissions don't prevail over ext2fs attributes anyway).

--
Jim Dennis,                     info () mail starshine org
Proprietor,                     consulting () mail starshine org
Starshine Technical Services    http://www.starshine.org
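The two defensive measures Jim recommends, a tripwire-style integrity baseline and an audit for executables on $PATH that the current user can write to, combined into one POSIX sh script. This is an added example, not code from Jim's post, from tripwire or from cops; it goes beyond the post's find.wx-files one-liner by recording SHA-256 hashes of every file on $PATH and reporting anything changed, added or removed since the baseline was taken. The function names, the baseline file location, the use of sha256sum(1) (or shasum(1) where sha256sum is absent) and the assumption that file names under the scanned directories contain no whitespace are all this example's own.

```shell
#!/bin/sh
# Added example (not from Jim Dennis's post, tripwire or cops): a hash
# baseline for the executables on $PATH plus the writable-executable audit
# the post describes. Assumptions of this example: sha256sum(1) or shasum(1)
# is installed, and scanned file names contain no whitespace.

# Print "hash  path" for every regular file under the given directories.
hash_tree() {
    if command -v sha256sum >/dev/null 2>&1; then
        hasher=sha256sum
    else
        hasher="shasum -a 256"
    fi
    find "$@" -type f -print 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        $hasher "$f"          # unquoted on purpose: "shasum -a 256" is three words
    done
}

# Record the baseline: make_baseline BASELINE_FILE DIR...
make_baseline() {
    baseline=$1; shift
    hash_tree "$@" > "$baseline"
}

# Compare the same directories against BASELINE_FILE.
# Prints CHANGED/ADDED/REMOVED lines; returns 0 only when nothing differs.
check_baseline() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    hash_tree "$@" > "$current"
    # awk pass 1 loads the baseline (hash keyed by path); pass 2 walks the
    # current state. A different hash means the file was modified in place,
    # which is exactly what an infector appending itself to a binary does.
    diffs=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                 {
                     if (!($2 in base))         print "ADDED " $2
                     else if (base[$2] != $1)   print "CHANGED " $2
                     seen[$2] = 1
                 }
                 END { for (p in base) if (!(p in seen)) print "REMOVED " p }' \
            "$baseline" "$current")
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# List executables under the given directories that the current user can
# write to (the same test as the post's find.wx-files script).
writable_exes() {
    find "$@" -type f -print 2>/dev/null | while IFS= read -r f; do
        [ -x "$f" ] && [ -w "$f" ] && printf '%s\n' "$f"
    done
}

# Command-line use (nothing runs when the file is sourced without arguments):
#   sh path-baseline.sh baseline /var/lib/path-baseline.sha256   # record
#   sh path-baseline.sh check    /var/lib/path-baseline.sha256   # compare + audit
if [ "${1-}" = baseline ] || [ "${1-}" = check ]; then
    mode=$1; file=$2
    IFS=:; set -- $PATH; unset IFS     # split $PATH into its directories
    if [ "$mode" = baseline ]; then
        make_baseline "$file" "$@"
    else
        check_baseline "$file" "$@"
        printf '%s\n' '--- executables writable by you ---'
        writable_exes "$@"
    fi
fi
```

Take the baseline right after installing from trusted media and keep the baseline file somewhere the account being audited cannot write (or, in the spirit of the post, on a file marked immutable); a baseline that an infected binary can rewrite proves nothing.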
Current thread:
- [linux-security] Linux virus Aleph One (Feb 04)
- Re: [linux-security] Linux virus Jim Dennis (Feb 05)
- Re: [linux-security] Re: Linux virus Alan Cox (Feb 05)
- Re: [linux-security] Re: Linux virus Leejay Wu (Feb 05)
- bliss version 0.4.0 nobody () INTERNIC NET (Feb 05)
- HPSBUX9702-052 Security Vulnerability in the rlogin executable Aleph One (Feb 05)
- [linux-security] Re: Linux virus Aleph One (Feb 06)
- setlocale() bug in all released versions of FreeBSD (SA-97:01) Aleph One (Feb 06)
- Wierd behavior of MS's NT4 DNS Jason T. Luttgens (Feb 07)
- New OFFICIAL patch for BSD/OS 2.1 (*SECURITY*) (fwd) Josh Gilliam (Feb 07)
- Bliss: The Facts Jared Mauch (Feb 08)
- view-source myst (Feb 08)
(Thread continues...)